Text entry, JavaScript, xAPI, and security

Hi all, I'm looking to collect user names & instructor names from Storyline 3 using text entry boxes and JavaScript. Devlin Peck explains it quite well here: https://www.devlinpeck.com/posts/collect-user-name-storyline/.  We use GrassBlade LRS to collect our xAPI data. I'm concerned about form validation and individuals submitting malicious content to our LRS, and subsequently, our servers, through the text boxes. Can anyone point me to a user-friendly understanding of how to prevent this? Someone on Twitter suggested code that doesn't allow special characters in the text box. I'm looking for exactly what that would look like if that's the answer.

3 Replies
Pankaj Agrawal

Hi Cristina,

If you are using GrassBlade xAPI Companion. You can set the content to: Allow Guests (ask Name/Email)

And, it will automatically ask for Name/Email if the user is not logged in. 

Regarding your concern for user-submitted responses. I guess it is similar to the concerns like "what if I submitted malicious content to Articulate Servers when typing this message?"

There are always some risks. However, we do try to mitigate as much risk as possible. And, we haven't seen any issues so far. 

Pankaj Agrawal
(from GrassBlade) 

Cristina Colquhoun

Thanks Matthew. Thankfully, Pankaj from Grassblade popped in to assist!

Pankaj, that's very helpful and I forgot I could use the ask name/email feature. I'd also like to potentially receive answers to short-answer questions with xAPI. Does Grassblade have protections set up to catch that sort of malicious submission? Our Grassblade data resides on our servers, so I am concerned about even the possibility it could happen. I'd like to set up protections for that possibility, but I'm not sure if it involves more JavaScript code to ensure the form only includes certain things, or if there's a malware program specific to this we should be running. Thanks for your help!